Bug 1122895 - [Docs][Bugfix][Admin]Improve descriptions of certs in the Replacing the RHEV-M SSL Certificate chapter
Status: CLOSED DUPLICATE of bug 1416232
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Hardware: x86_64
OS: Linux
Target Milestone: ovirt-4.1.1
Assignee: rhev-docs@redhat.com
QA Contact: Andrew Burden
Duplicates: 1146775
Depends On:
Blocks: 1156381
Reported: 2014-07-24 10:39 UTC by Lukas Zapletal
Modified: 2019-05-07 13:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Build Name: 22464, Administration Guide-3.3-1 Build Date: 29-04-2014 13:00:50 Topic ID: 10782-591943 [Specified]
Last Closed: 2017-02-07 07:55:12 UTC
oVirt Team: Docs


Description Lukas Zapletal 2014-07-24 10:39:38 UTC
Title: Replacing the Red Hat Enterprise Virtualization Manager SSL Certificate

Describe the issue:

In case the certificate has been generated by an internal IT authority, certificate files can be provided in various naming conventions. This section is unclear about which files contain what data.

For example the first command:

mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem

It's not clear what the YOUR-3RD-PARTY-CERT.pem file contains. Is this the authority CA cert? Is this the cert issued? With or without appended private key?

Suggestions for improvement:

In the prerequisite section, I'd appreciate a full list (table) of all the input files with descriptions of the content.

Comment 1 Julie 2014-09-29 05:30:49 UTC
*** Bug 1146775 has been marked as a duplicate of this bug. ***

Comment 2 Marco Grigull 2014-10-02 07:57:40 UTC

It might be worthwhile providing a hierarchical map of all of the keys, signing requests and certificates in all of their formats, and the services that use them (for restarting) and any file permissions needed. It would also be good to know what openssl.conf settings are needed for each certificate and what constraints are required by the CA for RHEVm.

This would then be detailed with steps for every one of those components. A few of these components have been documented in kbase articles [1]. In GSS case 01217776 we learned how to restore apache.cer and apache.key.nopass from a .p12 store [2]

This would allow both customers and GSS to determine both how to replace CA certs and all follow on certificates and to repair broken installations.


Extract the certificate only (-nokeys) from the PKCS#12 store; the password follows "pass:" with no extra spaces:
# openssl pkcs12 -passin pass:PASSWORD -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
Extract the private key only (-nocerts), unencrypted (-nodes), from the same store:
# openssl pkcs12 -passin pass:PASSWORD -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
The unencrypted key must be readable by its owner only:
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

Other parts to include are what certificate chains are needed (by clients and other components), especially where the custom CA cert might be a third-tier certificate.
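
The file confusion raised in the description and in this comment (is a given PEM the CA cert, the issued cert, or a cert with its key appended?) can be checked before anything is moved into /etc/pki/ovirt-engine. The script below is an added example, not part of the bug report or the RHEV documentation; it assumes openssl and POSIX grep are installed.

```shell
#!/bin/sh
# Added example (not from the RHEV docs or the reporter): report what a PEM file
# holds so that the CA certificate, the issued server certificate and any
# bundled private key are not mixed up. Assumes openssl and POSIX grep.

# Number of PEM blocks of type $2 ("CERTIFICATE", "PRIVATE KEY") in file $1.
# ".*" lets "PRIVATE KEY" also match "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY".
pem_count() {
    n=$(grep -c "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# "CA" if the first certificate in $1 carries basicConstraints CA:TRUE,
# "leaf" otherwise, "unknown" if openssl cannot parse the file.
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unknown; return 0; }
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then echo CA; else echo leaf; fi
}

# "self-signed" if issuer equals subject (a root CA), "issued" otherwise.
cert_trust() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || { echo unknown; return 0; }
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    # strip the "subject=" / "issuer=" labels and compare the remaining DN text
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo issued; fi
}

# One-line summary, e.g. "x.pem: certs=1 keys=1 role=leaf trust=issued".
# keys>0 means the file is secret material (mode 0600) and is not a CA bundle.
describe_pem() {
    certs=$(pem_count "$1" CERTIFICATE)
    keys=$(pem_count "$1" "PRIVATE KEY")
    if [ "$certs" -gt 0 ]; then
        role=$(cert_role "$1"); trust=$(cert_trust "$1")
    else
        role=none; trust=none
    fi
    echo "$1: certs=$certs keys=$keys role=$role trust=$trust"
}

# Usage: sh describe_pem.sh YOUR-3RD-PARTY-CERT.pem [more.pem ...]
for f in "$@"; do describe_pem "$f"; done
```

A file reporting role=CA and trust=self-signed is the root to place as apache-ca.pem; one reporting role=leaf with keys=1 carries the server key and must never be installed as a CA file.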

Comment 3 Marco Grigull 2014-10-02 08:13:42 UTC
If replacing certificates on an established system is at home in the administration guide as opposed to being part of a deployment guide, then it is imperative that all of the components for SSL are exposed.

Comment 5 Andrew Dahms 2015-09-03 00:37:52 UTC
Changing status back to 'New' until re-assignment.

Comment 7 Yaniv Lavi 2016-05-09 11:02:27 UTC
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.

Comment 11 Lucy Bopf 2017-02-07 07:55:12 UTC
Closing this as a duplicate of bug 1416232, which tracks multiple feedback items for this section.

*** This bug has been marked as a duplicate of bug 1416232 ***
